Day 1 at Houston Security Conference
The vibrancy surrounding the 2022 Houston Security Conference (aka HOU.SEC.CON) is electric. This event has gotten better and better every year, and I am extremely excited to take part again this year. I’ll be writing about some of my experiences, some of the speakers I visited (not all), and the festivities. Lastly, I’ll conclude with my thoughts on what I took away from the conference and how it will help me in my current employment.
Waking Up In Infosec
Hearing Jennifer Minella as the Keynote speaker is refreshing. Jennifer Minella is the Founder and Principal Advisor for Viszen Security, an official Forbes Technology Council member, and an Advisory CISO for Carolina Advanced Digital organization. In the world of Information Technology, Operational Technology, and Cybersecurity, it is more important to talk about organizational culture, leadership, and team collaboration within businesses and organizations. Many people look at IT and Cybersecurity as only the technology gurus. Minella talks about mindfulness, taking care of yourself, and making sure we focus on our purpose. Minella is extremely open, honest, and brave in sharing her experiences. Her keynote helped me understand that there is way more to life than work. We must be mindful, and continue to remind ourselves about our true purpose, and remember why we do what we do.
Enterprise Threat Hunting with Jupyter Notebooks
The next speaker is Ross Burke, who is a Senior Security Consultant at Mandiant. He was my instructor at the University of Houston while I was completing my master’s program in Cybersecurity. Burke covers enterprise threat hunting while using Jupyter Notebooks. He also focuses on what true threat hunting is, and how important it is to use the methodology Hypothesizing, Assessing, Acquiring, Analyzing, and Actioning (H.A.A.A.A.) (H4A). “Hypothesizing the threat, Assessing the threat against your organization, Acquiring the data needed, Analyzing the data to find threat actors, and Actioning your findings discovered during a hunt.” Ross goes over Jupyter Notebook and a threat hunt example that he created and goes into detail about what to look for and how to deal with certain events that you may find. He has a vast knowledge of the cybersecurity industry, from being a SOC analyst to now being a senior consultant. He shares so much wisdom on what to look for and how to react to events, detections, and threats plaguing organizations.
I did visit other speakers and of course had to visit the lock picking village provided by the Houston Locksport organization.
Day 2 at Houston Security Conference
Detecting the Bear
Day two started with some extra caffeine and speaker Mark Bowling, the VP of Security Response Services at ExtraHop. Bowling’s speech is called “Detecting the Bear” and focuses on effective monitoring and detection. Bowling is a big proponent of detecting the threats and having the right understanding for the best perception of the threat. There are differences between detection and perception. You don’t just want to detect but perceive the incoming threats. Bowling also talks about Bears, not the Chicago Bears, but the Russian hacking groups that are often nicknamed “Bears” (ex: Fancy Bear, Cozy Bear). “Sometimes, you get the bear, and sometimes, the bear gets you!” Bowling exclaimed while emphasizing the importance of detecting the bear. Detection without understanding causes alert fatigue. Understanding without detection is blindness. Both detection and understanding are needed to have the perception. “Detection is Integral to Identification and then Investigation.” Bowling talks about processes and procedures needing to be tested and maintained before they are necessary. Bottom line: have an Incident Response plan, and test it! “It’s all about preparation,” says Bowling. “Bears can harm you if you aren’t careful.”
After this talk, I make my way back to the village for more lock picking. And yes, I have my own lock-picking set that I brought with me.
The Future of Cybersecurity is Data Security
Next, I visit the talk titled “The Future of Cybersecurity is Data Security” presented by Todd Barton, the VP of Sales Engineering at Rubrik. “Our job is to decrease the ROI to the adversary,” Todd exclaims. Thinking must change. IT and security have competing priorities. IT tries to connect everyone, while security tries to keep people out, so it is important that we all work together. Some of the biggest problems for organizations happen at the data level.
Security has to happen at the data level. Ransomware has begun targeting backup systems, so recovery becomes difficult with modern ransomware. This means data protection has to change. We have to have native immutability, we need to identify the risks and manage that risk and compliance, and finally, enable data to fight back using Artificial Intelligence / Machine Learning that is powered by intelligent methodologies.
The Information Security Talent Shortage That Wasn’t
Another talk was “The Information Security Talent Shortage That Wasn’t” from Alex Humphrey, a Security Consulting Lead at Critical Start. Alex Humphrey goes over how he disagrees with experts, the philosophy, and how to implement better models for security experts.
Everyone agrees that there are not enough people (including Critical Start, Alex’s employer), but “what if everyone else is wrong?” He admits that this may be hubris, but if we adjust the culture of the organization to focus on securing differently, then we may be able to tackle this better.
The biggest issues that organizations say they face are phishing, ransomware, and patching vulnerabilities. However, are these the most important issues facing the organization? The organization doesn’t exist to support the security of its equipment. The organization is there to provide a service or goods to people. Focusing on business objectives is what we need to do. More precisely, “Focus on the security problems related to your fundamental business objectives.” In the manufacturing environment, the manufacturing team should be securing the manufacturing environment and business objectives. The software development teams should be focusing on securing the software development along with the business objectives. This shift in thinking may help bring security to the planning stage, and not the lessons-learned stage, of managing the business.
Hire, Train, and Create Opportunities
Seek out security folks who are doing or are interested in doing security work related to your organization’s business goals. Budget funds for ongoing, business-objective-focused training for the security team. Encourage experimentation and cross-team support for the security team. Hold the security team accountable for enabling business objectives securely.
Partner with third parties to do commoditized security work.
The other stuff still matters (network, endpoint, email, identity, cloud). Work with partners whose business objective is to investigate, triage, and respond to commoditized security events. DR, Consultants, and MSSPs help fill these gaps. This was a realization I had, and I found it very difficult to convince leadership to embrace.
These talks are just some of the ones I attended at HOU.SEC.CON. I enjoyed the whole event and I got so many takeaways. Not to say there weren’t other valuable topics that were discussed; the talks I covered were on some of the topics that could help my well-being, the health and security of my organization, and the stability of the culture within the organization where I am currently employed. I really appreciated all the topics that were discussed, as they all try to solve issues people have in work, life, and cybersecurity.
Until next year’s HOU.SEC.CON, stay secure.